16 Feb

Optimising LEDE (OpenWrt) for the PC Engines APU2

I’m planning to get APU2 in near future, I found this article is useful for my future project and created a mirror here. Credit to original post.

The PC Engines APU2 is an embedded system based on AMD’s Jaguar family of processors. Many people prefer to run pfSenseon it, but since the rest of my hardware is alread on LEDE, it’s easier for me to stick with that; the APU2 will manage a network running other LEDE nodes, with customised images (see my article on UCI defaults for more information on that). To get an idea of all the tidbits the APU2 offers, the OpenWrt wiki page is a good starting point – since there are no subtargets anymore for x86/64 (alas), you have to install all extra packages manually to get full support for the hardware capabilities.

Default configuration

Because LEDE uses generic targets – a kind of catch-all – for the x86 and x86_64 platforms, by default it only configures eth0, the leftmost interface. It took me a while (coming from consumer platforms) to realise the images I built were fine, I just kept trying the two rightmost interfaces, figuring those were the LAN interfaces… So if you don’t seem to be getting an IP, try all of those ports. You never know. There’s also no WAN interface defined, so it won’t work as a router out of the box.

Hardware support

A stock LEDE image will boot just fine from internal mSATA/S-ATA storage or USB altogether. I have not been able to verify if booting off SD works yet.

Gigabit Ethernet

The APU2 comes with Intel’s i210AT or i211AT Gigabit Ethernet NICs, which need the igb driver on Linux. The stock x86_64 LEDE builds include this driver by default.

SDHC card reader

For the card reader, install the kmod-sdhci package. If you’d like to include it in your own build, enable it under Kernel modules > Other modules in the buildroot. To boot off an SD card, however, you need the following symbols to be enabled:


You can grep target/linux/x86/64/config-default for them, they should all be enabled by default. Add them to the same file if they aren’t. I have been unable to test so far if booting off SD cards works; I’ve seen some statements that the APU2 will ignore SD or USB 3 boot devices if there is an mS-ATa SSD installed.

USB 3.0 support

Booting off USB 3.0 works just fine out of the box – not much to add.

Temperature sensor

For basic temperature reading support – which may come in handy as you essentially rely on passive cooling – install the kmod-hwmon-k10temp package, or enable kmod-hwmon-k10temp in the buildroot under Kernel modules > Hardware Monitoring Support. Reading out the temperature is as simple as typing sensors:

# sensors 
Adapter: PCI adapter
temp1:        +53.2°C  (high = +70.0°C)
               (crit = +105.0°C, hyst = +104.0°C)

As you can see, though, it only reports one temperature instead of one per core.

VLAN support

For VLAN support, you need the 8021q module installed. The generic target statically includes it. You will find a package under Kernel modules > Network Support; however, this is only useful for targets that do not include the module by default. On targets like e.g. ar71xx or x86, it will just generate a package only containing a modprobe file, nothing more. You can set up tagged VLANs through LEDE’s framework -in /etc/config/network, e.g.:

config interface 'guest'
    option type 'bridge'
    option proto 'static'
    option netmask ''
    option ip6assign '60'
    option ifname 'eth1.20 eth2.20'
    option ipaddr ''

This will set up a bridge named br-guest, containing both eth1 and eth2, tagged with VLAN ID 20. This is standard; the bridge itself apparently does not get tagged, only the member interfaces.

# for i in eth1.20 eth2.20 br-guest; do ip -d link show $i; done
9: eth1.20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP mode DEFAULT group default qlen 1000
    link/ether 00:0d:b9:41:45:61 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    vlan protocol 802.1Q id 20 <REORDER_HDR> 
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
10: eth2.20@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP mode DEFAULT group default qlen 1000
    link/ether 00:0d:b9:41:45:62 brd ff:ff:ff:ff:ff:ff promiscuity 1 
    vlan protocol 802.1Q id 20 <REORDER_HDR> 
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on addrgenmode eui64 
8: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:0d:b9:41:45:61 brd ff:ff:ff:ff:ff:ff promiscuity 0 
    bridge forward_delay 200 hello_time 200 max_age 2000 ageing_time 30000 stp_state 0 priority 32767 vlan_filtering 0 addrgenmode eui64

I can confirm this works as expected – for more info on VLANs on OpenWrt/LEDE, see my older post.

LED support

By default only the leftmost LED is active, and it just stays on. As of commit fe12d51, LEDE has a driver for the APU2’s PCB LEDs and reset button. I have backported this to my LEDE 17.01 builds.

GPIO header

The GPIO headers are controlled by the Nuvoton NCT5104D chip. To use them, enable the kmod-gpio-nct5104d package under Kernel modules > Other modules.

AMD’s cryptographic coprocessor (‘CCP’)

Enable the kmod-crypto-hw-ccp package under Kernel modules > Cryptographic API modules.

Hardware watchdog

Enable the kmod-sp5100-tco package under Kernel modules > Other modules.

Optimising LEDE for the APU2

GCC optimisation

GCC has its own target for the Jaguar SoCs. You can optimise by using the -march=btver2 -mtune=btver2 GCC options, with a recent GCC version. In the buildroot, enable Advanced configuration options (for developers), then tick Target Options and add the compiler flags to Target Optimizations. Do keep in mind though this will greatly limit your testing capabilites – I haven’t found a way to emulate a CPU supporting the same feature set yet, if you do, let me know, that would greatly simplify testing. For now I build a separate generic x86_64 build so I can test it in a VM, before deploying it.


One of the cooler things with the APU2 is it supports AES-NI, which is handy for applications relying on encryption (e.g. a VPN). LEDE enabled the necessary bits and bolts for that in the meantime.

Resizing partitions

Chances are you’ll be running conventional storage, so the default 4/48 configuration for the kernel and root partitions do not really use the space available. You can change this by setting the CONFIG_TARGET_ROOTFS_PARTSIZE= (for the root file system) and CONFIG_TARGET_KERNEL_PARTSIZE= for the kernel partition size.

UCI defaults

I have preconfigured my LEDE builds for the APU2 to set up a WAN interface on eth0 and a LAN bridge on the eth1 and eth2interfaces, as well as some other tidbits. Imho, if you want to deploy the APU2 with LEDE, prepping the network is a must.

LEDE discussion forum link for APU2

13 Feb

Arista EOS 101

This is a simple short notes taken from Arista Configuration Essentials (ACE) Lab Guide


Enter bash
switch# bash
switch-bash$ ifconfig -a
switch-bash$ top
switch-bash$ cd /mnt/flash

Upgrade EOS

Upload EOS to switch
switch# copy flash:

Verify image
switch# dir flash:

Configure boot image
switch# boot system flash: EOS-4.15.5M.swi

Verify boot-config
switch# show boot-config


Configure port channel for your peerlink
switch# interface Ethernet47-48
switch# channel-group 1000 mode active
switch# interface port-channel 1000
switch# switchport mode trunk

Configure a VLAN and trunk group used for MLAG peer communications
switch# vlan 9094
switch# trunk group mlagpeer

Assign the port-channel to the trunk group
switch# interface po1000
switch# switchport trunk group mlagpeer

Disable STP on the VLAN used for the MLAG peer
switch# no spanning-tree vlan 4094

Configure SVI for peer-to-peer communications
switch# int vlan 4094
switch# ip address
switch# no autostate

Configure local interface and peer address
switch# mlag configuration
switch# local-interface vlan 4094
switch# peer-address

Configure domain-d, peer-link & reload-delay on BOTH switches
switch# domain-id mlagDomain
switch# peer-link port-channel 1000
switch# reload-delay 200

Configure the MLAG interface (upstream interface to spine)
switch# int Eth31-32
switch# channel-group 999 mode active
switch# int po999
switch# mlag 999

Optional (configure Virtual ARP for downstream device)
switch# ip virtual-router address 001c.7300.0009 (for both switches)
switch# int vlan 2 (for both switches)
switch# ip address
switch# ip virtual-router address (for both switches)

Verify MLAG
switch# show mlag
switch# show mlag config-sanity
switch# show mlag detail
switch# show mlag interfaces
switch# show int po999


switch-XX# interface Vxlan 1
switch-XX# vxlan source-interface Loopback 1
switch-XX# vxlan vlan 101 flood vtep
switch-XX# vxlan udp-port 4789
switch-XX# vxlan vlan 101 vni 10000

switch-YY# interface Vxlan 1
switch-YY# vxlan source-interface Loopback 1
switch-YY# vxlan vlan 101 flood vtep
switch-YY# vxlan udp-port 4789
switch-YY# vxlan vlan 101 vni 10000

Verify vxlan
switch# sh vxlan vtep
switch# sh vxlan address-table


Configure port mirror to CPU (control plane)
switch# monitor session sniff source Eth33 both
switch# monitor session sniff destination Cpu

switch# bash
switch-bash$ tcpdump -i mirror1

*use the mirror number from “sh monitor session” output (Cpu : active (mirror1)

BGP Path Selection

11 Feb


RIB – Routing Information Base
FIB – Forwarding Information Base

This is a routing protocols database of routing prefixes that could potentially be installed in the routing table.
Derived from the control plane, it is not used for forwarding.
Every protocol such as OSPF, EIGRP, BGP has its own RIB and select their best candidates to try to install to global RIB so that it can then be selected for forwarding.
Is a selection of routing information learned via static definition or a dynamic routing protocol.
EX: show ip ospf databse show ip eigrp topology show ip bgp etc

The actual information that a routing/switching device uses to choose the interface that a given packet will use for egress.
Used for forwarding, information is derived from the RIB and from adjacency tables so that the packet can be rewritten with the correct encapsulation.
Is programmed by one or more RIB.
EX: show ip cef

07 Feb

Installing Guacamole on Raspberry Pi

Guacamole is a clientless remote desktop gateway. After successful implementation of this system on some PCs, now I want to use this on a Raspberry Pi 3 B+. Following is how I do the installation on Raspbian system.

OS Version: Raspbian GNU/Linux 9 (stretch)
  1. Upgrade the system:
$ sudo apt-get update
$ sudo apt-get upgrade
  1. Install the required dependencies:
$ sudo apt-get install libcairo2-dev
$ sudo apt-get install libjpeg62-turbo-dev
$ sudo apt-get install libpng12-dev
$ sudo apt-get install libossp-uuid-dev
  1. Install the optional packages:
$ sudo apt-get install libavcodec-dev libavutil-dev libswscale-dev
$ sudo apt-get install libpango1.0-dev
$ sudo apt-get install libssh2-1-dev
$ sudo apt-get install libtelnet-dev
$ sudo apt-get install libvncserver-dev
$ sudo apt-get install libpulse-dev
$ sudo apt-get install libssl-dev
$ sudo apt-get install libvorbis-dev
$ sudo apt-get install libwebp-dev
  1. Download Guacamole Server and Client packages:
$ wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-0.9.14.tar.gz
$ wget http://sourceforge.net/projects/guacamole/files/current/source/guacamole-client-0.9.14.tar.gz
  1. Build and install the server:
$ tar xzf guacamole-server-0.9.14.tar.gz
$ cd guacamole-server-0.9.14
$ ./configure --with-init-dir=/etc/init.d
$ make
$ sudo make install
$ sudo update-rc.d guacd defaults
$ sudo ldconfig
  1. Build the client:
$ sudo apt-get install maven
$ tar xzf guacamole-client-0.9.14.tar.gz
$ cd guacamole-client-0.9.14
$ mvn package
  1. Install jetty9 servlet container:
$ sudo apt-get install jetty9
  1. Deploy Guacamole:
$ sudo cp guacamole/target/guacamole-0.9.14.war /var/lib/jetty9/webapps/guacamole.war
$ sudo mkdir -p /etc/guacamole/extensions
$ sudo cp extensions/guacamole-auth-noauth/target/guacamole-auth-noauth-0.9.14.jar /etc/guacamole/extensions/.
  1. Copy following text and save it as “/etc/guacamole/guacamole.properties”
#    Guacamole - Clientless Remote Desktop
#    Copyright (C) 2010  Michael Jumper
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    GNU Affero General Public License for more details.
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml

# NoAuth properties
noauth-config: /etc/guacamole/noauth-config.xml
  1. Copy following text and save it as “/etc/guacamole/noauth-config.xml”
    <config name="pi" protocol="vnc">
        <param name="hostname" value="localhost" />
        <param name="port" value="5900" />
  1. Copy following text and save it as “/etc/guacamole/user-mapping.xml”. The password is “raspberry”.
        <connection name="pi">
        <param name="hostname">localhost</param>
        <param name="port">5900</param>
        <param name="swap-red-blue">false</param>
        <param name="enable-audio">true</param>
  1. Install x11vnc VNC-Server:
$ sudo apt-get install x11vnc
  1. Copy following text and save it as “~/.config/autostart/x11vnc.desktop”
[Desktop Entry]
Name=X11 VNC
Comment=Remotedesktop Server
Exec=x11vnc -forever -nopw -rfbport 5900 -display :0
Comment[de_DE]=Remotedesktop Server
  1. Restart Raspberry Pi:
$ sudo reboot

At this point guacamole should be automatically started at system boot. You can try to open it from a web-browser, the address is “<ip-address>:<port>/guacamole”. On my network it looks like this “”.

In case you use headless system (Raspberry Pi without display attached) and you have poor display resolution, you can set the parameters in “/boot/config.txt” from this:



to this (for full HD resolution):



Restart the system and that’s it. Have fun!

Reference: http://www.m-opensolutions.com/?p=936

06 Feb

Odroid HC2 Heat Issue

The infamous heat issue with the Odroid HC2 is here. My simple solution is simply by plugging in cheap USB fan to the bottom of the case (I put my HC2 vertically for better heat dissipation). Below is the result.

CPU thermal reduction
3.5 HDD thermal reduction

And for the sake of comparison, here’s the CPU thermal reading for my RPi2 with no cooling (and running Node JS + Munin server)

Raspberry Pi 2 in a case, no fan